How I Hack Web Applications (Part 1)

The documentations I use in web penetration testing

Rafin Rahman Chy
InfoSec Write-ups


I have never talked about my web hacking experience. So I decided to write a series on it. Here I will share how I approach web applications from a security perspective. In the first part of the series, I will discuss some guides and standards that contain the weaknesses and steps of exploitation. So this article is a theoretical beginning of my hacking style.


The Bugs That I Look for

As you may know, a wide variety of security issues can be found in web applications. Each class of bug has its own subtypes and testing techniques, so a security tester needs a comprehensive list of them. I use several sources to track the vulnerabilities I assess for, although the same bugs overlap across many of these guides. If the resources below are too overwhelming, you can build your own curated checklist from them.

The Pentest Frameworks I Follow

Penetration testing frameworks are industry standards that help security professionals structure and perform security tests. Several of them appear among the resources listed below (for example, the OWASP Web Security Testing Guide and the Penetration Testing Execution Standard).

Methodologies I Use

A methodology is any guide, checklist, or set of notes that shows how flaws are exploited using various tools and techniques. There is no fixed size or format for a methodology, since every tester's differs. Many people keep their methodology private, while others document and publish it. Searching for keywords such as “Bug Bounty Methodology” or “Web Penetration Testing Checklist” will turn up many.

https://github.com/sehno/Bug-bounty/blob/master/bugbounty_checklist.md
https://www.redteamsecure.com/services/penetration-testing/web-application-penetration-testing/methodology/
https://docs.google.com/spreadsheets/u/0/d/1TxNrvaIMRS_dmupcwjwJmXtaFk_lPGE1LzgxPu_7KqA/htmlview
https://pentestbook.six2dez.com/
https://owasp.org/www-project-web-security-testing-guide/latest/
https://github.com/OWASP/CheatSheetSeries
http://www.pentest-standard.org/index.php/Main_Page
https://www.amanhardikar.com/mindmaps/webapptest.html
https://www.sans.org/top25-software-errors/
http://projects.webappsec.org/w/page/13246978/Threat%20Classification
https://thehackerish.com/my-bug-bounty-methodology-and-how-i-approach-a-target/
https://m0chan.github.io/2019/12/17/Bug-Bounty-Cheetsheet.html
https://medium.com/@cc1h2e1/bug-bounty-check-list-by-c1-2beb7ae3c116
https://gowthams.gitbook.io/bughunter-handbook/
https://gbhackers.com/web-application-penetration-testing-checklist-a-detailed-cheat-sheet/
https://github.com/irsdl/top10webseclist
https://raviramesh.info/mindset.html
https://danielv.com.br/cheatsheets/
https://alike-lantern-72d.notion.site/Web-Application-Penetration-Testing-Checklist-4792d95add7d4ffd85dd50a5f50659c6
https://www.mindmeister.com/1470766611/web-app-pentest
https://www.mindmeister.com/1475822242/bug-hunting
https://www.mindmeister.com/49183531/web-application-security
https://www.mindmeister.com/1349784699/web-application-security
https://github.com/1ndianl33t/Bug-Bounty-Roadmaps
https://github.com/heilla/SecurityTesting
https://blog.p6.is/Web-Security-CheatSheet/
https://mobile.twitter.com/Virdoex_hunter/status/1289185424825491456
https://mobile.twitter.com/KathanP19/status/1481124091268857856
https://chennylmf.medium.com/web-application-penetration-testing-checklist-5fca45f6960d
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/
https://naglinagli.github.io/BugBounty/
https://gowsundar.gitbook.io/book-of-bugbounty-tips/
https://medium.com/@mahendrapurbia19/bug-hunting-methodology-for-beginners-20b56f5e7d19
https://www.hackerone.com/top-ten-vulnerabilities
https://hacklido.com/blog/183-web-app-pentesting-checklist
https://github.com/dsopas/assessment-mindset
https://github.com/iamthefrogy/Web-Application-Pentest-Checklist
https://github.com/riramar/Web-Attack-Cheat-Sheet
https://github.com/attacker-codeninja/AllThingsBugHunting
https://github.com/KathanP19/HowToHunt
https://kathan19.gitbook.io/howtohunt/
https://0xn3va.gitbook.io/cheat-sheets/
https://github.com/daffainfo/AllAboutBugBounty
https://github.com/EdOverflow/bugbounty-cheatsheet
https://danielmiessler.com/projects/webappsec_testing_resources/
https://www.notion.so/Bug-Bounty-notes-1ae08b47f3e84aa8adbe4158bd695316
https://www.xmind.net/m/2QyGbx/
https://cheatsheetseries.owasp.org/
https://www.xmind.net/m/2FwJ7D/
https://www.xmind.net/embed/9UTn/
https://book.hacktricks.xyz/
https://github.com/IamLucif3r/Bug-Hunting
https://mobile.twitter.com/fasthm00/status/1268528699382562823
https://erev0s.com/tools/web-application-assessment-check-list/
https://github.com/imran-parray/Mind-Maps
https://github.com/R-s0n/Bug_Bounty_Notes
https://www.getastra.com/blog/security-audit/web-application-security-testing/
https://www.guru99.com/complete-web-application-testing-checklist.html
https://hackercombat.com/web-application-penetration-testing-checklist/
https://github.com/Voorivex/pentest-guide
https://github.com/The-XSS-Rat/SecurityTesting/blob/master/Checklists/webAppSec.md
https://infosecwriteups.com/bug-bounty-hunting-methodology-toolkit-tips-tricks-blogs-ef6542301c65?gi=597d8b569121
https://infosecsanyam.medium.com/bug-bounty-methodology-ttp-tactics-techniques-and-procedures-v-2-0-2ccd9d7eb2e2
https://aaryanapex.medium.com/bug-bounty-methodology-web-vulnerabilities-checklist-86175dd29987
https://aaryanapex.medium.com/bug-bounty-methodology-bug-hunting-checklist-part-1-3274ad868209
https://aaryanapex.medium.com/bug-bounty-methodology-bug-hunting-checklist-part-2-4e546533245
https://blog.usejournal.com/bug-hunting-methodology-part-1-91295b2d2066
https://github.com/jhaddix/tbhm
https://www.shellinthecity.com/bug-bounty-hunter-methodology/
https://www.notion.so/Web-Application-Penetration-Testing-Checklist-4792d95add7d4ffd85dd50a5f50659c6
http://apps.testinsane.com/mindmaps/uploads/html/INSANE%20Web%20Security%20Testing%20MindMap.html
https://s0cm0nkey.gitbook.io/s0cm0nkeys-security-reference-guide/web-app-hacking/
https://mr-msa.notion.site/mr-msa/Write-ups-Tips-0b10fa38dc64499192dcf8df8ec56da9
https://infosecwriteups.com/bug-hunting-methodology-for-beginners-20b56f5e7d19
https://dev.to/therceman/how-to-start-bug-bounty-hunting-short-intro-1k0e
https://systemweakness.com/how-to-hack-any-website-c08daec978f6

I know the list is huge! Pick a few that you find distinctive and are comfortable with. Choose them wisely, since not all of them are appropriate for every engagement. A traditional pen-test has unlimited scope and the target is still fresh. Then comes bug bounty/responsible disclosure, which is bound to a defined set of scopes. This phase requires comprehensive testing: surface-level issues are typically addressed during the initial security test in the production environment. That is why crowdsourced pen-testing is challenging and demands creativity, analytical thinking, and research capacity to discover complex vulnerabilities. In a traditional pen-test you are allowed to run vulnerability scanners to identify and report security issues; bug bounty requires manual inspection and cross-checking of the results those tools produce. In bug bounty, don't rely blindly on someone else's methodology, or you will run into duplicates and burnout because other people follow it too. Develop your own methodology by studying others, and keep changing it with new discoveries and the experience gained from your submissions.


I'm an AppSec Researcher and Coder. Currently pursuing Bachelor's in Software Engineering at China